From: Peter van Dijk Date: Mon, 21 Jun 2021 14:54:16 +0000 (+0200) Subject: auth: correctly respect direct-dnskey when putting DNSKEY/CDS/CDNSKEY in NSEC(3)... X-Git-Tag: dnsdist-1.7.0-alpha1~136^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10514%2Fhead;p=thirdparty%2Fpdns.git auth: correctly respect direct-dnskey when putting DNSKEY/CDS/CDNSKEY in NSEC(3) bitmaps. Thanks @mind04. Fixes #10516
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 6c568b583f..84a6bd983e 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -627,6 +627,9 @@ void PacketHandler::emitNSEC(std::unique_ptr& r, const DNSName& name,
 nrc.set(QType::A);
 nrc.set(QType::AAAA);
 }
+ else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey")) {
+ continue;
+ }
 else if(rr.dr.d_type == QType::NS || rr.auth) {
 nrc.set(rr.dr.d_type);
 }
@@ -691,6 +694,9 @@ void PacketHandler::emitNSEC3(std::unique_ptr& r, const NSEC3PARAMRec
 n3rc.set(QType::A);
 n3rc.set(QType::AAAA);
 }
+ else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey")) {
+ continue;
+ }
 else if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) {
 // skip empty non-terminals
 n3rc.set(rr.dr.d_type);
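Review bot: The new `else if` in the emitNSEC hunk re-evaluates `d_dk.isPresigned(d_sd.qname)` and the string-keyed `::arg().mustDo("direct-dnskey")` for every DNSKEY/CDS/CDNSKEY record, and the identical predicate is pasted into the emitNSEC3 hunk. Neither value appears to depend on `rr`, so I would compute it once ahead of the record loop, e.g. `const bool hideBackendKeys = !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey");`, and test `hideBackendKeys && (rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY)` in both functions, ideally through one shared private helper. A single definition keeps the NSEC and NSEC3 bitmaps from drifting apart; a bitmap that disagrees with what the server actually answers invalidates the denial-of-existence proof for validating resolvers. The loop header and the rest of both function bodies are outside the hunks, so check that nothing after the if-chain is expected to run for these records before keeping `continue` rather than an empty branch.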
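Review bot: The branch added in the emitNSEC3 hunk (and its twin in emitNSEC) has no comment, although the branch directly below it carries `// skip empty non-terminals`, and the reason for skipping is not readable from the condition alone. Assuming the intent is what the commit subject suggests, I would add above the `continue`: `// backend DNSKEY/CDS/CDNSKEY records are only published for presigned zones or with direct-dnskey set, so keep them out of the type bitmap`. The patch as shown touches only packethandler.cc; a regression test that stores one of these record types in the backend with direct-dnskey off and checks both the NSEC and the NSEC3 bitmap would pin the behaviour down.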